GCP Associate Cloud Engineer Practice Question

A project inherited from another team still contains a user with the basic Owner role at the project level. Management wants to follow the principle of least privilege but must ensure the user can continue to do the two tasks they perform regularly:

Grant and revoke IAM roles for other team members at the project level.
Change the project's Cloud Billing account when new cost centers are created. Which single predefined or basic role can fulfill both requirements without giving unnecessary additional permissions?

Replace Owner with IAM Admin (roles/iam.admin); it includes both billing updates and IAM policy changes.
Keep the basic Owner role (roles/owner) on the project for that user.
Replace Owner with Project Billing Manager (roles/billing.projectManager); it covers billing changes and IAM role grants.
Replace Owner with Editor (roles/editor); it already includes billing and IAM permissions.

Report Issue

Answer Description

The ability to change a project's billing account requires the billing.resourceAssociations.* and billing.resourceAssociations.update permissions. Granting or revoking roles on the project requires resourcemanager.projects.setIamPolicy. Among Google-defined roles, only the basic Owner role (roles/owner) contains both sets of permissions. Editor lacks IAM and billing-association permissions, Project Billing Manager (roles/billing.projectManager) can change the billing account but cannot modify IAM policies, and IAM Admin (roles/iam.admin) can manage IAM but has no billing privileges. Therefore, retaining the Owner role is the minimum way to satisfy both tasks with a single role, even though it grants many additional permissions.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.